HashiCorp Nomad Privilege Escalation via Unredacted Workload Identity Tokens
CVE-2024-12678 Published on December 20, 2024
Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Tokens
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
Weakness Type
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2024-12678
Affected Versions
HashiCorp Nomad:
- Versions from 1.4.0 up to, but not including, 1.9.4 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.